Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
apwoqw.sn.files.1drv.com | CNAME sn-files.fe.1drv.com, CNAME l-0003.l-msedge.net | 13.107.42.12 |
onedrive.live.com | CNAME l-0004.l-msedge.net | 13.107.42.13 |
UDP Requests
Source | Destination |
---|---|
192.168.56.101:59369 | 164.124.101.2:53 |
192.168.56.101:61479 | 164.124.101.2:53 |
192.168.56.101:62324 | 164.124.101.2:53 |
192.168.56.101:137 | 192.168.56.255:137 |
192.168.56.101:138 | 192.168.56.255:138 |
192.168.56.101:49152 | 239.255.255.250:3702 |
192.168.56.101:62327 | 239.255.255.250:1900 |
192.168.56.101:62329 | 239.255.255.250:3702 |
192.168.56.101:62331 | 239.255.255.250:3702 |
52.231.114.183:123 | 192.168.56.101:123 |
-
HTTP Requests
GET 302 https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21110&authkey=AAUF6ri1a1Q3BDE
REQUEST
GET /download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21110&authkey=AAUF6ri1a1Q3BDE HTTP/1.1
User-Agent: zipo
Host: onedrive.live.com

RESPONSE
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://apwoqw.sn.files.1drv.com/y4mzJ_o-QT3s9l6T9nPYpPZaAIli0HjF2u-yV90Ep0j9sUw4d4AC3WMJF-OM-e4LDZfK_gHXQz-7rW9aUF9wWN9ocRuUBJnOJUhaJpnrvi99K5q63LiHnE-C3aVvYQlagO8yYkqMQ5hGOvRFQrgIRCLIciuGM5xuXo1KkUMW24XNJSgTWUSb-ApWVb0FW9kvFli9ei14VOJoLsJ85KxubDk1w/Xoydyzhptetusfxrsnlrjeibgzoqnla?download&psid=1
Set-Cookie: E=P:hWC6w91T2Yg=:Pznh/b7qqk01P15IHQRUUm7wtYNzmuV8TNXtYIKSkaY=:F; domain=.live.com; path=/
Set-Cookie: xid=12a9b27a-37ca-4407-8c43-71845d263cd6&&RD00155D7D9169&255; domain=.live.com; path=/
Set-Cookie: xidseq=1; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Sat, 31-Jul-2021 03:03:38 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Sat, 07-Aug-2021 04:43:38 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: RD00155D7D9169
X-ODWebServer: canadacentral1-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 9E2A2425D1D44B2AB61D4D663D70D355 Ref B: SLAEDGE1112 Ref C: 2021-07-31T04:43:38Z
Date: Sat, 31 Jul 2021 04:43:38 GMT
Content-Length: 0
GET 200 https://apwoqw.sn.files.1drv.com/y4mzJ_o-QT3s9l6T9nPYpPZaAIli0HjF2u-yV90Ep0j9sUw4d4AC3WMJF-OM-e4LDZfK_gHXQz-7rW9aUF9wWN9ocRuUBJnOJUhaJpnrvi99K5q63LiHnE-C3aVvYQlagO8yYkqMQ5hGOvRFQrgIRCLIciuGM5xuXo1KkUMW24XNJSgTWUSb-ApWVb0FW9kvFli9ei14VOJoLsJ85KxubDk1w/Xoydyzhptetusfxrsnlrjeibgzoqnla?download&psid=1
REQUEST
GET /y4mzJ_o-QT3s9l6T9nPYpPZaAIli0HjF2u-yV90Ep0j9sUw4d4AC3WMJF-OM-e4LDZfK_gHXQz-7rW9aUF9wWN9ocRuUBJnOJUhaJpnrvi99K5q63LiHnE-C3aVvYQlagO8yYkqMQ5hGOvRFQrgIRCLIciuGM5xuXo1KkUMW24XNJSgTWUSb-ApWVb0FW9kvFli9ei14VOJoLsJ85KxubDk1w/Xoydyzhptetusfxrsnlrjeibgzoqnla?download&psid=1 HTTP/1.1
User-Agent: zipo
Host: apwoqw.sn.files.1drv.com
Connection: Keep-Alive

RESPONSE
HTTP/1.1 200 OK
Cache-Control: public
Content-Length: 584704
Content-Type: application/octet-stream
Content-Location: https://apwoqw.sn.files.1drv.com/y4mgdF2fdXqhPWPDVJz-IqV5lZJDRC_p6gsZEGvyi6rYlSZzDt435gydM6InoV5FODxT9psm8C8oCrZ0fb8ZeH5-nUDOSoEk-Nf64WPh2ipGa6lEDBwdUG2NlS44lY8qXRagS9WWHeM5no2FI1vJQOxRcFpLGBd-e2KOAWQnpcgdm_wAduqdrWzmPLsG9Qq1ro8
Expires: Fri, 29 Oct 2021 04:43:39 GMT
Last-Modified: Fri, 30 Jul 2021 17:21:03 GMT
Accept-Ranges: bytes
ETag: D6676A9A61E841F3!110.2
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-MSNSERVER: SN3PPF2EDBAD472
Strict-Transport-Security: max-age=31536000; includeSubDomains
MS-CV: bZUNacjZwk2xbTJV1FTcvg.0
X-SqlDataOrigin: S
CTag: aYzpENjY3NkE5QTYxRTg0MUYzITExMC4yNTc
X-PreAuthInfo: rv;poba;
Content-Disposition: attachment; filename="Xoydyzhptetusfxrsnlrjeibgzoqnla"
X-Content-Type-Options: nosniff
X-StreamOrigin: X
X-AsmVersion: UNKNOWN; 19.716.706.2005
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 02CABBBE7E8E4445B56DE9F576C80025 Ref B: SLAEDGE1019 Ref C: 2021-07-31T04:43:39Z
Date: Sat, 31 Jul 2021 04:43:38 GMT
GET 302 https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21110&authkey=AAUF6ri1a1Q3BDE
REQUEST
GET /download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21110&authkey=AAUF6ri1a1Q3BDE HTTP/1.1
User-Agent: aswe
Host: onedrive.live.com
Cache-Control: no-cache
Cookie: E=P:hWC6w91T2Yg=:Pznh/b7qqk01P15IHQRUUm7wtYNzmuV8TNXtYIKSkaY=:F; xid=12a9b27a-37ca-4407-8c43-71845d263cd6&&RD00155D7D9169&255; xidseq=1; wla42=

RESPONSE
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: -1
Location: https://apwoqw.sn.files.1drv.com/y4mSrGGVAPntb6QS1Pv0RM3aho-_3OvJ-xqz1r95_NP83E2s01BBsRKVp-fLaBE0NLAcHXFBDhbKS2Gitb_mLr08uiPYAQn3NBCHX8juozPNFKaAPySwap_2bH54MrvWS3DmbksVxwRcs8C0isffy72XdljYKOYDYlFtpv097Dyek633SvvwILTbefHz1YdpqruKOYuC1nDAOuQ9FSnIEJqjA/Xoydyzhptetusfxrsnlrjeibgzoqnla?download&psid=1
Set-Cookie: E=P:E7BvxN1T2Yg=:qFdopgebIwZYCDALsXcrvPzAhrPrhFOl05ZSscZQB6s=:F; domain=.live.com; path=/
Set-Cookie: xidseq=2; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Sat, 31-Jul-2021 03:03:39 GMT; path=/
Set-Cookie: wla42=; domain=live.com; expires=Sat, 07-Aug-2021 04:43:40 GMT; path=/
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
X-MSNServer: RD00155D7D9169
X-ODWebServer: canadacentral1-odwebpl
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: B02940F9D9EE4037B23C050D0469B67E Ref B: SLAEDGE1112 Ref C: 2021-07-31T04:43:39Z
Date: Sat, 31 Jul 2021 04:43:40 GMT
Content-Length: 0
GET 200 https://apwoqw.sn.files.1drv.com/y4mSrGGVAPntb6QS1Pv0RM3aho-_3OvJ-xqz1r95_NP83E2s01BBsRKVp-fLaBE0NLAcHXFBDhbKS2Gitb_mLr08uiPYAQn3NBCHX8juozPNFKaAPySwap_2bH54MrvWS3DmbksVxwRcs8C0isffy72XdljYKOYDYlFtpv097Dyek633SvvwILTbefHz1YdpqruKOYuC1nDAOuQ9FSnIEJqjA/Xoydyzhptetusfxrsnlrjeibgzoqnla?download&psid=1
REQUEST
GET /y4mSrGGVAPntb6QS1Pv0RM3aho-_3OvJ-xqz1r95_NP83E2s01BBsRKVp-fLaBE0NLAcHXFBDhbKS2Gitb_mLr08uiPYAQn3NBCHX8juozPNFKaAPySwap_2bH54MrvWS3DmbksVxwRcs8C0isffy72XdljYKOYDYlFtpv097Dyek633SvvwILTbefHz1YdpqruKOYuC1nDAOuQ9FSnIEJqjA/Xoydyzhptetusfxrsnlrjeibgzoqnla?download&psid=1 HTTP/1.1
User-Agent: aswe
Host: apwoqw.sn.files.1drv.com
Cache-Control: no-cache
Connection: Keep-Alive

RESPONSE
HTTP/1.1 200 OK
Cache-Control: public
Content-Length: 584704
Content-Type: application/octet-stream
Content-Location: https://apwoqw.sn.files.1drv.com/y4mgdF2fdXqhPWPDVJz-IqV5lZJDRC_p6gsZEGvyi6rYlSZzDt435gydM6InoV5FODxT9psm8C8oCrZ0fb8ZeH5-nUDOSoEk-Nf64WPh2ipGa6lEDBwdUG2NlS44lY8qXRagS9WWHeM5no2FI1vJQOxRcFpLGBd-e2KOAWQnpcgdm_wAduqdrWzmPLsG9Qq1ro8
Expires: Fri, 29 Oct 2021 04:43:40 GMT
Last-Modified: Fri, 30 Jul 2021 17:21:03 GMT
Accept-Ranges: bytes
ETag: D6676A9A61E841F3!110.2
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-MSNSERVER: SN3PPF90B1565C6
Strict-Transport-Security: max-age=31536000; includeSubDomains
MS-CV: NUWEjhBjq0e9kqvIr0X39A.0
X-SqlDataOrigin: S
CTag: aYzpENjY3NkE5QTYxRTg0MUYzITExMC4yNTc
X-PreAuthInfo: rv;poba;
Content-Disposition: attachment; filename="Xoydyzhptetusfxrsnlrjeibgzoqnla"
X-Content-Type-Options: nosniff
X-StreamOrigin: X
X-AsmVersion: UNKNOWN; 19.716.706.2005
X-Cache: CONFIG_NOCACHE
X-MSEdge-Ref: Ref A: 6C5739167A744389A9A83A857A024794 Ref B: SLAEDGE1116 Ref C: 2021-07-31T04:43:40Z
Date: Sat, 31 Jul 2021 04:43:39 GMT
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.101:49200 -> 13.107.42.13:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49201 -> 13.107.42.12:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49202 -> 13.107.42.12:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49200 -> 13.107.42.13:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 | CN=onedrive.com | 24:8a:fb:ed:16:0d:11:c8:2f:65:3a:66:ca:f1:6f:60:ad:4c:cc:de |
TLSv1 192.168.56.101:49201 -> 13.107.42.12:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 | C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com | 77:27:91:d8:e9:91:39:0b:f9:f9:5e:86:3e:37:d5:dc:9d:85:30:49 |
TLSv1 192.168.56.101:49202 -> 13.107.42.12:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 | C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com | 77:27:91:d8:e9:91:39:0b:f9:f9:5e:86:3e:37:d5:dc:9d:85:30:49 |
Snort Alerts
No Snort Alerts